
Permission issue with Tags when sharing resources #173

@graehren

Description

Use case: a network-admin account creates a service network and shares it (via RAM) with developer accounts.
Here's a snapshot of such a RAM-shared SN. Note that the tags of the SN are not visible in the developer account (I am logged into the developer account with AdministratorAccess privileges).

Now, when the developer account tries to create a gateway, these errors show up:

2023-03-28T00:07:18Z	INFO	GatewayReconciler	{"controller": "gateway", "controllerGroup": "gateway.networking.k8s.io", "controllerKind": "Gateway", "Gateway": {"name":"lattice-sn","namespace":"default"}, "namespace": "default", "name": "lattice-sn", "reconcileID": "c4d8ae21-3219-48ca-8527-d8c0061ac4c6"}
2023-03-28T00:07:18Z	INFO	reconcile gateway resource	{"controller": "gateway", "controllerGroup": "gateway.networking.k8s.io", "controllerKind": "Gateway", "Gateway": {"name":"lattice-sn","namespace":"default"}, "namespace": "default", "name": "lattice-sn", "reconcileID": "c4d8ae21-3219-48ca-8527-d8c0061ac4c6"}
2023-03-28T00:07:18Z	INFO	Successfully built model	{"controller": "gateway", "controllerGroup": "gateway.networking.k8s.io", "controllerKind": "Gateway", "Gateway": {"name":"lattice-sn","namespace":"default"}, "namespace": "default", "name": "lattice-sn", "reconcileID": "c4d8ae21-3219-48ca-8527-d8c0061ac4c6", "{\"id\":\"default/lattice-sn\",\"resources\":{\"AWS::VPCServiceNetwork::ServiceNetwork\":{\"ServiceNetwork\":{\"spec\":{\"name\":\"lattice-sn\",\"account\":\"594270053243\",\"AssociateToVPC\":true,\"IsDeleted\":false}}}}}": ""}
E0328 00:07:18.810590 1 request.go:539] Failed request: VpcLattice/ListTagsForResource, Payload: { ResourceArn: "arn:aws:vpc-lattice:us-west-2:064153202663:servicenetwork/sn-0fb3ede2bf8ae004a"}, Error: AccessDeniedException: User: arn:aws:sts::594270053243:assumed-role/eksctl-eks-cluster-2-addon-iamserviceaccount-Role1-1FC0M5CDOHCNN/1679961142742761882 is not authorized to perform: vpc-lattice:ListTagsForResource on resource: arn:aws:vpc-lattice:us-west-2:064153202663:servicenetwork/sn-0fb3ede2bf8ae004a
>>>>>> Retrying Reconcile after 20 seconds ...

Because of this, the gateway stays in the 'Waiting for controller' state:

aichadha@88665a367681 Setup % kubectl get gateway lattice-sn -oyaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  annotations:
    application-networking.k8s.aws/lattice-vpc-association: "true"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"gateway.networking.k8s.io/v1beta1","kind":"Gateway","metadata":{"annotations":{"application-networking.k8s.aws/lattice-vpc-association":"true"},"name":"lattice-sn","namespace":"default"},"spec":{"gatewayClassName":"amazon-vpc-lattice","listeners":[{"name":"http","port":80,"protocol":"HTTP"}]}}
  creationTimestamp: "2023-03-27T23:57:33Z"
  finalizers:
  - gateway.k8s.aws/resources
  generation: 1
  name: lattice-sn
  namespace: default
  resourceVersion: "10711"
  uid: bd1f4512-0ef6-4eb1-810a-e0fc1fbb3285
spec:
  gatewayClassName: amazon-vpc-lattice
  listeners:
  - allowedRoutes:
      namespaces:
        from: Same
    name: http
    port: 80
    protocol: HTTP
status:
  conditions:
  - lastTransitionTime: "1970-01-01T00:00:00Z"
    message: Waiting for controller
    reason: NotReconciled
    status: Unknown
    type: Accepted
aichadha@88665a367681 Setup %
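The log above shows the shape of the problem: the controller runs as a role in account 594270053243, but the service network ARN it calls vpc-lattice:ListTagsForResource on belongs to account 064153202663. The developer account cannot grant itself read access to the owner's tags, so the AccessDeniedException is not transient, yet the reconciler retries it every 20 seconds and the Gateway never leaves NotReconciled. The Go program below is an added example, not code from the controller or the project: it parses the ARN, skips the tag read when the ARN's account differs from the caller's account (marking the SN as RAM-shared), and classifies an AccessDenied on a same-account ARN as permanent so a reconcile loop can surface it instead of retrying. `fakeLattice`, `ResolveTags`, `IsPermanentDenial`, the second ARN (`sn-0123456789abcdef0`) and its tag are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ARN holds the six colon-separated ARN fields plus the "type/id" split of
// the resource part, e.g. servicenetwork/sn-0fb3ede2bf8ae004a.
type ARN struct {
	Partition, Service, Region, Account, ResourceType, ResourceID string
}

// ParseARN decomposes an ARN string; it rejects anything without 6 fields
// or without a type/id resource part.
func ParseARN(s string) (ARN, error) {
	parts := strings.SplitN(s, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return ARN{}, fmt.Errorf("malformed ARN %q", s)
	}
	rtype, rid, ok := strings.Cut(parts[5], "/")
	if !ok || rtype == "" || rid == "" {
		return ARN{}, fmt.Errorf("ARN %q lacks a type/id resource part", s)
	}
	return ARN{parts[1], parts[2], parts[3], parts[4], rtype, rid}, nil
}

// AccessDeniedError mirrors the AccessDeniedException text in the issue log.
type AccessDeniedError struct{ Principal, Action, Resource string }

func (e *AccessDeniedError) Error() string {
	return fmt.Sprintf("AccessDeniedException: User: %s is not authorized to perform: %s on resource: %s",
		e.Principal, e.Action, e.Resource)
}

// TagLister is the one VPC Lattice call this reconcile step needs (assumed interface).
type TagLister interface {
	ListTagsForResource(arn string) (map[string]string, error)
}

// TagResolution is what the reconciler learns about a service network's tags.
type TagResolution struct {
	Tags   map[string]string
	Shared bool // ARN is owned by another account, i.e. reached via a RAM share
}

// ResolveTags never asks the API for tags of a foreign-account ARN: the owner
// account controls that permission, so a denial there cannot be fixed locally.
func ResolveTags(client TagLister, arnStr, callerAccount string) (TagResolution, error) {
	parsed, err := ParseARN(arnStr)
	if err != nil {
		return TagResolution{}, err
	}
	if parsed.Account != callerAccount {
		return TagResolution{Shared: true}, nil
	}
	tags, err := client.ListTagsForResource(arnStr)
	if err != nil {
		return TagResolution{}, fmt.Errorf("ListTagsForResource %s: %w", arnStr, err)
	}
	return TagResolution{Tags: tags}, nil
}

// IsPermanentDenial reports whether err wraps an AccessDenied, which will not
// clear on its own and so should not be retried on a fixed timer.
func IsPermanentDenial(err error) bool {
	var denied *AccessDeniedError
	return errors.As(err, &denied)
}

// fakeLattice stands in for the VPC Lattice API offline: it authorizes tag
// reads only when the caller's account owns the ARN, as the real API did here.
type fakeLattice struct {
	callerAccount string
	principal     string
	tags          map[string]map[string]string // keyed by ARN
}

func (f fakeLattice) ListTagsForResource(arnStr string) (map[string]string, error) {
	parsed, err := ParseARN(arnStr)
	if err != nil {
		return nil, err
	}
	if parsed.Account != f.callerAccount {
		return nil, &AccessDeniedError{f.principal, "vpc-lattice:ListTagsForResource", arnStr}
	}
	return f.tags[arnStr], nil
}

func main() {
	const caller = "594270053243" // developer account from the log
	// sharedSN is the ARN from the log; ownSN and its tag are constructed sample data.
	const sharedSN = "arn:aws:vpc-lattice:us-west-2:064153202663:servicenetwork/sn-0fb3ede2bf8ae004a"
	const ownSN = "arn:aws:vpc-lattice:us-west-2:594270053243:servicenetwork/sn-0123456789abcdef0"
	client := fakeLattice{
		callerAccount: caller,
		principal:     "arn:aws:sts::594270053243:assumed-role/eksctl-eks-cluster-2-addon-iamserviceaccount-Role1-1FC0M5CDOHCNN/1679961142742761882",
		tags:          map[string]map[string]string{ownSN: {"Owner": "network-admin"}},
	}
	for _, arn := range []string{sharedSN, ownSN} {
		r, err := ResolveTags(client, arn, caller)
		fmt.Printf("%s\n  shared=%v tags=%v err=%v\n", arn, r.Shared, r.Tags, err)
	}
	// The unconditional tag read the log shows, and how it should be classified.
	_, err := client.ListTagsForResource(sharedSN)
	fmt.Printf("unconditional read: %v\n  permanent=%v\n", err, IsPermanentDenial(err))
}
```

The account-comparison check is a heuristic for "this resource reached me through RAM"; in a real controller the caller's account would come from sts:GetCallerIdentity at startup rather than a constant, and the Shared flag would feed the Gateway's Accepted condition so the user sees why tags were not read.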
